diff --git a/dnssec-trigger-default.conf b/dnssec-trigger-default.conf
new file mode 100644
index 0000000..cc18335
--- /dev/null
+++ b/dnssec-trigger-default.conf
@@ -0,0 +1,99 @@
+# Fedora/EPEL version of dnssec-trigger.conf
+
+# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
+# verbosity: 1
+
+# pidfile location
+pidfile: "/var/run/dnssec-triggerd.pid"
+
+# log to a file instead of syslog, default is to syslog
+# logfile: "/var/log/dnssec-trigger.log"
+
+# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
+# use-syslog: yes
+
+# chroot to this directory
+# chroot: ""
+
+# the unbound-control binary if not found in PATH.
+# commandline options can be appended "unbound-control -c my.conf" if you wish.
+# unbound-control: "/usr/sbin/unbound-control"
+
+# where is resolv.conf to edit.
+# resolvconf: "/etc/resolv.conf"
+
+# the domain example.com line (if any) to add to resolv.conf(5). default none.
+# domain: ""
+
+# domain name search path to add to resolv.conf(5). default none.
+# the search path from DHCP is not picked up, it could be used to misdirect.
+# search: ""
+
+# the command to run to open login pages on hot spots, a web browser.
+# empty string runs no command.
+# login-command: "xdg-open"
+
+# the url to open to get hot spot login, it gets overridden by the hotspot.
+# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
+# should to be a ttl=0 entry
+login-location: "http://hotspot-nocache.fedoraproject.org/"
+
+# do not perform actions (unbound-control or resolv.conf), for a dry-run.
+# noaction: no
+
+# port number to use for probe daemon.
+# port: 8955
+
+# keys and certificates generated by the dnssec-trigger-keygen systemd service
+# (which called dnssec-trigger-control-setup)
+server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
+server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
+control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
+control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
+
+# check for updates, download and ask to install them (for Windows, OSX).
+# check-updates: no
+
+# webservers that are probed to see if internet access is possible.
+# They serve a simple static page over HTTP port 80. It probes a random url:
+# after a space is the content expected on the page, (the page can contain
+# whitespace before and after this code). Without urls it skips http probes.
+
+# provided by NLnetLabs
+# It is provided on a best effort basis, with no service guarantee.
+# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+
+# provided by FedoraProject
+url: "http://fedoraproject.org/static/hotspot.txt OK"
+
+# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
+# the following on one line: ssl443:
+# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
+# You can add more with extra config lines.
+
+# Provided by fedoraproject.org, #fedora-admin
+# It is provided on a best effort basis, with no service guarantee.
+ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 140.211.169.201
+ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 66.35.62.163
+ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 152.19.134.150
+ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9
+
+# provided by Paul Wouters (pwouters@redhat.com)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80: 193.110.157.123
+# tcp80: 2001:888:2003:1004::123
+# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+
+# provided by NLnetLabs (www.nlnetlabs.nl)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80: 213.154.224.3
+# tcp80: 2001:7b8:206:1:bb::
+# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+
diff --git a/dnssec-trigger-workstation.conf b/dnssec-trigger-workstation.conf
new file mode 100644
index 0000000..78b0cc6
--- /dev/null
+++ b/dnssec-trigger-workstation.conf
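Review bot: The header comment on the first added line still calls this file `dnssec-trigger.conf`, but it is now installed as `dnssec-trigger-default.conf` next to a `-workstation` variant, and `/etc/dnssec-trigger/dnssec-trigger.conf` becomes a symlink to one of the two (see the `%posttrans` hunk in dnssec-trigger.spec on this page). An administrator editing the daemon's configured path gets no hint from the file itself that the edit lands in a variant file, so I would replace the header with `# Fedora/EPEL default variant of dnssec-trigger.conf.` followed by `# /etc/dnssec-trigger/dnssec-trigger.conf is normally a symlink to this file or to dnssec-trigger-workstation.conf.` The same header line appears in dnssec-trigger-workstation.conf and should be adjusted the same way. Separately, the comment `# the following on one line: ssl443:` ends without showing the value form it announces; if an IP-and-hash placeholder was lost in rendering ignore this, otherwise restore it.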
@@ -0,0 +1,101 @@
+# Fedora/EPEL version of dnssec-trigger.conf
+
+# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
+# verbosity: 1
+
+# pidfile location
+pidfile: "/var/run/dnssec-triggerd.pid"
+
+# log to a file instead of syslog, default is to syslog
+# logfile: "/var/log/dnssec-trigger.log"
+
+# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
+# use-syslog: yes
+
+# chroot to this directory
+# chroot: ""
+
+# the unbound-control binary if not found in PATH.
+# commandline options can be appended "unbound-control -c my.conf" if you wish.
+# unbound-control: "/usr/sbin/unbound-control"
+
+# where is resolv.conf to edit.
+# resolvconf: "/etc/resolv.conf"
+
+# the domain example.com line (if any) to add to resolv.conf(5). default none.
+# domain: ""
+
+# domain name search path to add to resolv.conf(5). default none.
+# the search path from DHCP is not picked up, it could be used to misdirect.
+# search: ""
+
+# the command to run to open login pages on hot spots, a web browser.
+# empty string runs no command.
+# login-command: "xdg-open"
+login-command: ""
+
+# the url to open to get hot spot login, it gets overridden by the hotspot.
+# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
+# should to be a ttl=0 entry
+# login-location: "http://hotspot-nocache.fedoraproject.org/"
+
+# do not perform actions (unbound-control or resolv.conf), for a dry-run.
+# noaction: no
+
+# port number to use for probe daemon.
+# port: 8955
+
+# keys and certificates generated by the dnssec-trigger-keygen systemd service
+# (which called dnssec-trigger-control-setup)
+server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
+server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
+control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
+control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
+
+# check for updates, download and ask to install them (for Windows, OSX).
+# check-updates: no
+
+# webservers that are probed to see if internet access is possible.
+# They serve a simple static page over HTTP port 80. It probes a random url:
+# after a space is the content expected on the page, (the page can contain
+# whitespace before and after this code). Without urls it skips http probes.
+
+# provided by NLnetLabs
+# It is provided on a best effort basis, with no service guarantee.
+# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+
+# provided by FedoraProject
+# on Workstation, the detection is turned off
+# url: "http://fedoraproject.org/static/hotspot.txt OK"
+
+# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
+# the following on one line: ssl443:
+# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
+# You can add more with extra config lines.
+
+# Provided by fedoraproject.org, #fedora-admin
+# It is provided on a best effort basis, with no service guarantee.
+ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 140.211.169.201
+ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 66.35.62.163
+ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 152.19.134.150
+ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9
+
+# provided by Paul Wouters (pwouters@redhat.com)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80: 193.110.157.123
+# tcp80: 2001:888:2003:1004::123
+# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+
+# provided by NLnetLabs (www.nlnetlabs.nl)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80: 213.154.224.3
+# tcp80: 2001:7b8:206:1:bb::
+# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+
diff --git a/dnssec-trigger.conf b/dnssec-trigger.conf
deleted file mode 100644
index cc18335..0000000
--- a/dnssec-trigger.conf
+++ /dev/null
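Review bot: The three settings that together switch off hotspot handling on Workstation — `login-command: ""`, the commented-out `login-location`, and the commented-out `url:` — are changed at three separate places, but only the `url:` block carries the `# on Workstation, the detection is turned off` comment. A later edit that re-enables just one of them would leave a probe with no way to act on its result, or a login-page launcher that is never triggered, so the comment should name all three settings. I would put `# on Workstation, hotspot detection is turned off: login-command, login-location and url are disabled together` above `login-command: ""` and point to it from the other two sites. The header-comment rename issue raised on dnssec-trigger-default.conf applies to this file's first line as well.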
@@ -1,99 +0,0 @@
-# Fedora/EPEL version of dnssec-trigger.conf
-
-# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
-# verbosity: 1
-
-# pidfile location
-pidfile: "/var/run/dnssec-triggerd.pid"
-
-# log to a file instead of syslog, default is to syslog
-# logfile: "/var/log/dnssec-trigger.log"
-
-# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
-# use-syslog: yes
-
-# chroot to this directory
-# chroot: ""
-
-# the unbound-control binary if not found in PATH.
-# commandline options can be appended "unbound-control -c my.conf" if you wish.
-# unbound-control: "/usr/sbin/unbound-control"
-
-# where is resolv.conf to edit.
-# resolvconf: "/etc/resolv.conf"
-
-# the domain example.com line (if any) to add to resolv.conf(5). default none.
-# domain: ""
-
-# domain name search path to add to resolv.conf(5). default none.
-# the search path from DHCP is not picked up, it could be used to misdirect.
-# search: ""
-
-# the command to run to open login pages on hot spots, a web browser.
-# empty string runs no command.
-# login-command: "xdg-open"
-
-# the url to open to get hot spot login, it gets overridden by the hotspot.
-# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
-# should to be a ttl=0 entry
-login-location: "http://hotspot-nocache.fedoraproject.org/"
-
-# do not perform actions (unbound-control or resolv.conf), for a dry-run.
-# noaction: no
-
-# port number to use for probe daemon.
-# port: 8955
-
-# keys and certificates generated by the dnssec-trigger-keygen systemd service
-# (which called dnssec-trigger-control-setup)
-server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
-server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
-control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
-control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
-
-# check for updates, download and ask to install them (for Windows, OSX).
-# check-updates: no
-
-# webservers that are probed to see if internet access is possible.
-# They serve a simple static page over HTTP port 80. It probes a random url:
-# after a space is the content expected on the page, (the page can contain
-# whitespace before and after this code). Without urls it skips http probes.
-
-# provided by NLnetLabs
-# It is provided on a best effort basis, with no service guarantee.
-# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
-
-# provided by FedoraProject
-url: "http://fedoraproject.org/static/hotspot.txt OK"
-
-# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
-# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
-# the following on one line: ssl443:
-# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
-# You can add more with extra config lines.
-
-# Provided by fedoraproject.org, #fedora-admin
-# It is provided on a best effort basis, with no service guarantee.
-ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80: 140.211.169.201
-ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80: 66.35.62.163
-ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80: 152.19.134.150
-ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
-tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9
-
-# provided by Paul Wouters (pwouters@redhat.com)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80: 193.110.157.123
-# tcp80: 2001:888:2003:1004::123
-# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
-
-# provided by NLnetLabs (www.nlnetlabs.nl)
-# It is provided on a best effort basis, with no service guarantee.
-# tcp80: 213.154.224.3
-# tcp80: 2001:7b8:206:1:bb::
-# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
-
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index 7764be9..46b1d2d 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -5,7 +5,7 @@ Summary: Tool for dynamic reconfiguration of validating resolver Unbound
 Name: dnssec-trigger
 Version: 0.13
-Release: 0.1%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist}
+Release: 0.2%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
 %if 0%{?svn_snapshot:1}
@@ -14,8 +14,9 @@ Source0: %{name}-%{version}_%{svn_snapshot}.tar.gz
 %else
 Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
 %endif
-Source1: dnssec-trigger.conf
-Source2: dnssec-trigger.tmpfiles.d
+Source1: dnssec-trigger.tmpfiles.d
+Source2: dnssec-trigger-default.conf
+Source3: dnssec-trigger-workstation.conf
 # Patches
 Patch0: dnssec-trigger-0.13-Set-PidFile-in-the-dnssec-triggerd.service-file.patch
@@ -44,6 +45,10 @@ Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
+# Provides Workstation specific configuration
+# - No captive portal detection and no action available on Captive portal (No UI)
+Provides: variant_config(Workstation)
+
 %description
 dnssec-trigger reconfigures the local Unbound DNS server. Unbound is a resolver performing DNSSEC validation. dnssec-trigger is a set of daemon
@@ -91,7 +96,8 @@ rm -rf %{buildroot}
 %{__make} DESTDIR=%{buildroot} install
 install -d 0755 %{buildroot}%{_unitdir}
-install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{name}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/
+install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/
 mkdir -p %{buildroot}%{_libexecdir}
@@ -99,7 +105,7 @@ desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-p
 # install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir
 mkdir -p %{buildroot}%{_tmpfilesdir}
-install -m 644 %{SOURCE2} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
+install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
 # we must create the /var/run/dnssec-trigger directory
 mkdir -p %{buildroot}%{_localstatedir}/run
 install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
@@ -129,6 +135,23 @@ fi
 %postun
 %systemd_postun_with_restart %{name}d.service
+%posttrans
+# If we don't yet have a symlink or existing file for dnssec-trigger.conf,
+# create it..
+if [ ! -e %{_sysconfdir}/%{name}/dnssec-trigger.conf ]; then
+ # Import /etc/os-release to get the variant definition
+ . /etc/os-release || :
+
+ case "$VARIANT_ID" in
+ workstation)
+ ln -sf %{name}-workstation.conf %{_sysconfdir}/%{name}/dnssec-trigger.conf || :
+ ;;
+ *)
+ ln -sf %{name}-default.conf %{_sysconfdir}/%{name}/dnssec-trigger.conf || :
+ ;;
+ esac
+fi
+
 %clean
 rm -rf ${RPM_BUILD_ROOT}
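Review bot: In the `%posttrans` hunk, `. /etc/os-release || :` leaves `$VARIANT_ID` at whatever the invoking environment already held when the file is missing or does not define that variable, so the variant selection can be steered by the caller's environment rather than by the installed system; add `unset VARIANT_ID` immediately before the sourcing line so the `*)` default branch is taken in that case. Second, the `[ ! -e ... ]` guard means hosts upgrading from 0.13-0.1, where `dnssec-trigger.conf` was a regular `%config(noreplace)` file, keep that file and never receive the variant symlink; switching the entry to `%ghost` in the `%files` hunk does not change this, as far as I can tell. If that is the intended behaviour, extend the comment above the `if` with `# Existing installs keep their current dnssec-trigger.conf; only fresh installs get the variant symlink.`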
@@ -142,10 +165,12 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libexecdir}/dnssec-trigger-script
 %{_unitdir}/%{name}d.service
 %{_unitdir}/%{name}d-keygen.service
-%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/dnssec.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf
+%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
+%attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf
 %dir %{_localstatedir}/run/%{name}
 %{_tmpfilesdir}/%{name}.conf
 %{_mandir}/man8/dnssec-trigger*
@@ -159,6 +184,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
+* Mon Jul 20 2015 Tomas Hozza - 0.13-0.2.20150714svn
+- Provide Workstation specific configuration
+
 * Wed Jul 15 2015 Tomas Hozza - 0.13-0.1.20150714svn
 - split dnssec-trigger panel into separate subpackage (#1236363)
 - SPEC file cleanup based on rpmlint and fedora-review issues